1. Technical Field
The present invention relates generally to an improved distributed data processing system and in particular to a method and apparatus for client authentication and/or application configuration. Still more particularly, the present invention provides a method and apparatus for client authentication and/or application configuration using smart cards.
2. Description of Related Art
Security is a significant issue in the computing industry. Most computer systems employ a user identification and a password to verify a user before allowing that user to access data within a computer, while maintaining a secure environment for computing. With client authentication, the issue is validating that a particular client is who it claims to be. Once a client is authenticated, the identity also may be used to access various resources, such as applications or databases. Beyond access control, personalized configuration or personal defaults for a user are another issue of interest. Personalized configuration or personal defaults involve being able to tailor computer system behavior based on client identity.
Up to now, schemes using a smart card for identity have assumed that all access to a system would be made using the smart card and have not addressed the equally important issue of personalized configuration. One problem is that a given system user may be mobile and may find, on occasion, a need to use a computer system other than the one normally assigned.
Whilst smart card technology has evolved rapidly, significant limitations still exist as to the storage available on such a card. A smart card is typically a credit-card-sized device containing an embedded processor that stores information. Smart cards are typically used in computer security for authentication of users to various computer systems. The industry-preferred technology for secure access today is based on public key algorithms using standards-based certificates and encodings. Because of this, in conjunction with the need to represent roles and to allow distributed rather than centralized administration of certificates, the size of an end user's Public Key Infrastructure (PKI) key-ring often will exceed the storage capacity of even the largest smart card.
Historically, before PKI exploitation, a typical user may have several identifiers and passwords for which the user is responsible. For example, a user might have one user identification and password to gain access to the user's workstation, another user identification and password to gain access to a terminal emulator, another user identification and password to gain access to electronic mail, and yet additional different identifications and passwords used to access different applications. In many instances, these passwords are set to expire after certain dates to improve security, which means that each of the passwords will have rules for creating the password (such as five alphanumeric characters with the second character being numeric) and set expiration dates (such as 30 days, 45 days, or 60 days). The configuration of computer networking quickly becomes unmanageable because it is extremely difficult to keep all passwords and user identifications synchronized. As a result, many users resort to writing their user identifications and passwords on a piece of paper, largely eliminating the security benefit intended by the passwords. Even personal users of a computer network may be faced with an excess of user identification and password requirements, such as a user identification and password for their Internet provider, one for electronic mail, and another for each of the various bulletin boards to which a user may subscribe.
A need has arisen for single sign-on products. These products are becoming available on the marketplace today. Many of these products keep a list of all the identifications and map the user from one "single" sign-on to the appropriate user identification/password pair for their destination. As a result, the user identification/password changes in the data stream transparently to the user. This approach, however, requires significant administrative effort to prime the database with the correct user/password pairs and requires synchronization of password databases as passwords change or expire.
Therefore, it would be advantageous to have an improved method and apparatus for allowing client authentication to various servers and to allow access to configuration information for various software applications at whatever client computer a user may access.
The system and associated method provide a method, in a data processing system, for accessing a target computer. A smart card is detected at the data processing system, which in turn queries the smart card for an indication of a location of user information. The target computer may be, for example, a host computer or another server in an Internet Protocol network. A secure channel is established with the location of user information. User information associated with the smart card is retrieved from the location. A connection is then established to the target computer with the user information. Key to this invention is the ability to use this infrastructure for authentication when a smart card cannot be used at the data processing system.
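As an added illustration of the flow just described (a constructed example, not code from the patent): the card carries only a locator and a small key, the user-information location authenticates the card with a challenge-response before releasing the per-target credential set, and the client then selects the credential for the requested target. The secure channel is modeled as an HMAC challenge-response, the card interface and the final connection are simulated, and all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not from the original page). The card holds only
# a locator and a small per-card key; the user's full credential set, which
# may be too large for the card, lives at the location the locator names.
CARD = {"card_id": "card-0001", "locator": "userinfo.example.test",
        "key": b"constructed-card-key-0001"}

# The user-information location: per card id, the credentials for each
# target computer the user may connect to from any client.
USER_INFO = {"userinfo.example.test": {"card-0001": {
    "mailhost.example.test": {"user": "alice", "secret": "constructed-mail-secret"},
    "host.example.test": {"user": "alice_h", "secret": "constructed-host-secret"},
}}}
LOCATION_CARD_KEYS = {"card-0001": CARD["key"]}  # the location's copy of card keys


def card_respond(card: dict, challenge: bytes) -> bytes:
    """Card side: prove possession of the card key without releasing it."""
    return hmac.new(card["key"], challenge, hashlib.sha256).digest()


def fetch_user_info(locator: str, card_id: str, respond) -> Optional[dict]:
    """Location side: the secure channel is modeled as an HMAC challenge-
    response (assumption); user information is released only if it succeeds."""
    per_card = USER_INFO.get(locator)
    key = LOCATION_CARD_KEYS.get(card_id)
    if per_card is None or key is None or card_id not in per_card:
        return None
    challenge = secrets.token_bytes(32)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(respond(challenge), expected):
        return None  # card could not authenticate; nothing is released
    return per_card[card_id]


def connect_to_target(card: dict, target: str) -> dict:
    """Client side: detect card, query its locator, retrieve user information
    over the channel, then connect to the target with that information."""
    info = fetch_user_info(card["locator"], card["card_id"],
                           lambda c: card_respond(card, c))
    if info is None:
        return {"target": target, "authenticated": False, "reason": "card not accepted"}
    cred = info.get(target)
    if cred is None:
        return {"target": target, "authenticated": False, "reason": "no credential for target"}
    # A real connection would present cred["secret"] to the target; here we
    # only report which identity was selected for it.
    return {"target": target, "authenticated": True, "user": cred["user"]}
```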